CKS:Internet/Extranet Edition - SharePoint 2007 Forms Based Authentication Solution Released
Oct 15
Author: Paul Ballard
Monday October 15th, 2007 8:13pm

I’m very happy to announce that our first pre-Beta release of the SharePoint Forms Based Authentication features that the Community Kit for SharePoint Internet/Extranet edition has been working on is available for download on CodePlex. This solution builds on many of the things I created for the version on my website but adds significant improvements in management of users and roles. This solution also gives administrators the ability to approve/deny membership before the user is added to the MembershipProvider database. We still have more to do but we wanted to get this work out into the hands of the public so we can get any feedback you might have as early as possible.

I want to thank everybody who downloaded the source code for the project I created around Forms Based Authentication with SharePoint. The work of the CKS:IEE team supersedes this project in terms of functionality and usability and so I won’t be offering any further support of the version I created myself. Basically you’re better off using the CKS version as it will continue to grow in functionality and be more stable over time.
This was a group effort and so along with my relatively minor contribution you can thank Zac Smith, Edin Kapic, Brendon Schwartz, and Stacey Draper for making FBA easier and more useful in SharePoint.
Google, I Was Kidding… Honest!
Sep 26
Author: Paul Ballard
Wednesday September 26th, 2007 12:56pm
Last year, I published a widely unread set of what I thought were humorous predictions for the technology world in 2007. One of those items titled “AJAX 2.0” stated that Google would create a technology that makes it possible for web applications to access the local resources on the user computer, thereby recreating ActiveX. This was an attempt at a joke aimed at the fervor with which the development industry jumped on the AJAX bandwagon after the technology had been around for years.
However, I just read a blog post about Google’s latest attempt to claw its way out of the Internet and onto your desktop called Google “Gears” and sure enough it’s remarkably similar to what I described, in concept if not in implementation. Hopefully, and given that this was released months ago and I’m just now hearing about it, the developer community will think twice before jumping on this technology and sending us back into the bad old days of browser based infectious diseases in the form of executable scripts.
SharePoint/MOSS 2007 Forms Based Authentication Login/Registration Web Parts Update
Jul 25
Author: Paul Ballard
Wednesday July 25th, 2007 10:49pm
I’ve been very pleasantly surprised with the number of people downloading the forms based authentication web parts I created. I hope you find the code valuable. I’ve also received via the comments section several questions about implementing one or more aspects of the solution. I haven’t had time to answer many of these lately and so I thought my loyal readership (up to 3 now!) deserved to know why.
I’ve been working with the Community Kit for SharePoint team to create a new open source (more or less) SharePoint template for Internet/Extranets which includes as a major component a much more advanced Forms Based Authentication solution. This project is on CodePlex at http://www.CodePlex.com/CKS. You’ll see that the teams have already released an Enhanced Blog Edition. In the CKS:IEE along with web parts for user self registration and password recovery, we’re looking to add administration of users and roles, automatic configuration of FBA, a membership approval process, and many other features that will make using FBA with SharePoint easier and faster. In the meantime however, that means I won’t be able to get to all of your questions about the web parts from my web site. I appreciate your comments and readership and will circle back to try to answer your questions when my load lightens up a bit.
VSTO: My Favorite Feature - Custom Task Panes
May 23
Author: Paul Ballard
Wednesday May 23rd, 2007 1:50pm
My avid readers (both of you) know that I’ve done quite a bit of work around Outlook 2007 Form Regions in Visual Studio 2005 Tools for Office. If you missed those posts, you can read more about them here and here. Form Regions are a great way to add custom functionality to Outlook forms but there’s another way you can add features and Windows forms to all of the Office applications and unlike Form Regions (pre-Orcas) it’s really easy. Therefore one of my favorite features is Custom Task Panes.
Adding a custom task pane couldn’t be much easier. Just add a UserControl to your Add-in project and build any functionality you’d like inside that control. You can use the databinding features of WinForms, third party controls, and even COM+ components. Then to use that UserControl as a custom task pane just add it to the CustomTaskPaneCollection like below.
Dim ctp As Microsoft.Office.Tools.CustomTaskPane = Me.CustomTaskPanes.Add(New MyUserControl(), "Product List")
You can then make the task pane visible either at startup or when the user clicks a button on the Ribbon. For a great example of how to properly implement a custom task pane’s visibility check out Ken Getz’ MSDN Webcast.
By default a custom task pane is going to appear docked on the right side of the window for your application. You can however specify where you want the custom task pane to display by using the DockPosition parameter.
ctp.DockPosition = Microsoft.Office.Core.MsoCTPDockPosition.msoCTPDockPositionBottom
The possible options for the DockPosition are:
- MsoCTPDockPosition.msoCTPDockPositionBottom
- MsoCTPDockPosition.msoCTPDockPositionFloating
- MsoCTPDockPosition.msoCTPDockPositionLeft
- MsoCTPDockPosition.msoCTPDockPositionRight
- MsoCTPDockPosition.msoCTPDockPositionTop
You can also respond to the user changing the task pane’s position by using the DockPositionChanged event.
Private Sub CTP_DockPositionChanged(ByVal sender As Object, ByVal e As EventArgs)
    Dim ctp As Microsoft.Office.Tools.CustomTaskPane = CType(sender, Microsoft.Office.Tools.CustomTaskPane)
    'Do something meaningful here
End Sub
Lastly, you can restrict where the user can dock your task pane using the DockPositionRestrict property. The possible options are:
- msoCTPDockPositionRestrictNoChange
- msoCTPDockPositionRestrictNoHorizontal
- msoCTPDockPositionRestrictNone
- msoCTPDockPositionRestrictNoVertical
And that ladies and gents is all there is to that.
MSDN Webcast: Visual Studio Tools for Microsoft Office from the Experts Series
May 16
Author: Paul Ballard
Wednesday May 16th, 2007 3:05pm
Yesterday I had the honor of joining such names as Ken Getz, Tim Huckaby, and Robert Green by recording a webcast for MSDN in the VSTO Straight from the Experts Series. In this webcast I demoed the FormRegionAddin templates I created for Visual Studio 2005 and showed how they worked under the covers to help make building Outlook 2007 Form Regions easier. I also showed how the new Table object in the Outlook object model can greatly improve performance when working with items in folders.
Before the show actually began, Mike Hernandez and I were on the phone together with Colleen the coordinator waiting for things to start when Mike started playing some truly incredible jazz guitar. It’s a shame the rest of the audience couldn’t hear it.
Much thanks to Mike for inviting me to participate and to Colleen for making it seem easy. If you’d like to view the recording of the webcast, click here. And if you have any questions or comments on the presentation by all means drop me a note here.
VSTO “Orcas” Ribbon Designer
May 09
Author: Paul Ballard
Wednesday May 9th, 2007 4:00pm
Kathleen McGrath has a great blog post about her favorite feature in the upcoming "Orcas" release of VSTO, the new Ribbon Designer. The Ribbon Designer lets you extend the Office 2007 Ribbon interface with your own controls. She even includes a video walkthrough of using the designer to create tabs, groups, and buttons. She also points out some limitations in the Ribbon designer in that you can't directly reuse the button events from the Office product, i.e. you can't add a new button that calls Word's built-in Bold functionality. Hopefully this is something that will be addressed in later CTPs.
.NET Humor
May 08
Author: Paul Ballard
Tuesday May 8th, 2007 2:53pm
In my previous life as Editor for TheServerSide.NET, one of my favorite duties was to come up with ideas for .NET humor. This took the form of several cartoons, "Top 10" lists, and one April Fool's news post that got MASSIVE linkage. Unfortunately though, when a new humor item came out it tended to replace what was there and so prior cartoons were gone forever.
But now TheServerSide.NET has re-released those cartoons and top 10 lists at http://www.theserverside.net/tt/cartoons/TalesFromTheServerSide.tss. Here are the ones that I can personally take some amount of credit for.
- Top 10 Things to be Thankful for in .NET
- Web Services are Taking Over The World
- The Joys of Test Driven Development
- Tragedy on the Information Superhighway
- SOA - The Only Tool You'll Ever Need
- Unraveling the Mystery of the CTPs
- High Anxiety
- The Unusual Suspects - Reformed
- You Might Be A .NET Geek If…
- Top 10 Names NOT Chosen For Windows Vista
- MSDN Subscription Pricing - Decisions, Decisions
- BizTalk Server 2006 Blasts Off… Sorta
The actual cartoons were drawn by Chris Moujaes and the Flash for the Top 10 Lists was created by webmaster extraordinaire Nuno Teixeira.
SharePoint/MOSS 2007 Forms Based Authentication Login/Registration Web Part
May 01
Author: Paul Ballard
Tuesday May 1st, 2007 7:23pm
SharePoint 2007 and MOSS 2007 are built on ASP.Net 2.0 which means they can leverage many of the same features of ASP.Net 2.0 including the AspNetSqlMembershipProvider for use with Forms Based Authentication. While the ability to use the SQL based authentication exists in SharePoint, the other features like user registration and password recovery are not available. So having some time on my hands I decided to create a custom web part for FBA sites to allow users to login, register, and recover their password.
One thing I noticed while developing this web part for my own use is that the functionality of the standard ASP.Net controls wasn’t really sufficient. In particular I have added the following functionality:
1. Made UserName and Password field prompts web part properties
2. Added option to request user’s First Name and Last Name when they are registering
3. Added option to request user’s Company Name when registering
4. Added basic CAPTCHA functionality to avoid robot registrations
5. Added functionality to automatically add the new user to a Site group specified by the administrator
6. Added functionality to update the User Information List with the name and company info entered during registration.
To get started you first have to set up your site to use Forms based authentication. Rather than rehash how to do that here, I’ll provide a couple of links with the steps required.
Channel 9: http://channel9.msdn.com/ShowPost.aspx?PostID=299338
SharePoint Team Blog: http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx
Once you have your site ready for Forms based authentication, you need to install the solution containing the web part and the CAPTCHA handler. You can do this using the setup.bat command file located in the bin\Debug directory for the project.
Setup.bat /install /weburl http://localhost/ /siteurl http://localhost/
Once the features are installed, you’ll need to modify the web.config for the root site to add the assembly containing the utility methods used by both the web part and the CAPTCHA handler.
<compilation batch="false" debug="false">
  <assemblies>
    <add assembly="BallardSoftware.SharePoint.FBA, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ac0a223a1bb0e47c" />
  </assemblies>
</compilation>
Next you’ll need to check to make sure the CAPTCHA feature is enabled. To do this go to Site Settings->Site Features. You should see the screen below:

NOTE: In order to upload the .ASHX file to your site, you may have to go to Central Administration and temporarily remove the .ASHX extension from the list of blocked file types.
Now that the wiring is complete, you can add the Login/Registration web part to any page. I’m using a basic team site template and so to add a web part, click on Site Actions->Edit Page. Then click on Add a Web Part in any zone. This will bring up the following window. Scroll down to the Miscellaneous section and you’ll find the Login/Registration part.

After you click on Add, you’ll see the web part displayed in the zone you selected… or actually not. Nothing is displayed in the web part at this time because you are currently authenticated and therefore don’t need to login or register.
The next step you’ll want to take is to set the options for the web part. To do this click on Edit on the top right of the web part and choose “Modify Shared Web Part”. This will bring up the tool pane on the right as shown below.

The first field is the group that new registrants should be added to. The list is created from the groups currently defined for this web. You’ll notice at the bottom of the tool pane are three collapsed sections. These are “All”, “Login”, and “Registration”. Each section contains options for that particular functionality.

The All section contains two text fields to allow you to set the prompt to be used for the UserName and Password fields regardless of which “mode” it is in. The default is “User Name:” and “Password:”. If you prefer your users to use an email address as their user name you can change the prompt here.

The Login section contains options for whether to allow the user to register themselves or ask for password resets. If you only want to use the web part for logins, you can uncheck these boxes and the user will not be presented with the option to register or reset their password. The buttons, if shown, are added by the web part and given specific CSS definitions to allow you to change their alignment, style, etc. The classes used are “fbaLogin”, “fbaLogin-regButton”, and “fbaLogin-resetBtn”.

The registration section contains a text field to allow you to specify a prompt to display above the registration section. The default is “Sign Up For Your New Account”. Also in this section are checkboxes to allow you to specify if you want the user to enter their first and last names and/or their company name. Note that if you check these options, those fields become required. Also note that “Company Name” is not a default field in the User Information List so if you want to use it you have to add it to the list manually with the name set to “Company Name”.
Also shown is a checkbox that allows you to specify if you want to use the CAPTCHA feature for new registrations. You can find out more information on CAPTCHA here. This is a basic line of defense against automated registrations.
Click on “OK” and you’re ready to go. Now sign out and you’ll see the Login/Registration part is displayed like this:

The “Remember me next time” option will work for the user by saving a cookie that will automatically authenticate them to the site at their next visit. If the user clicks on the “Register” button, the web part changes to display as shown below:

Note that all fields are required and the password policy used is the one set in your web.config (or default if one is not set). When the user enters the data correctly and clicks on “Create User” the user is created in the SQL database, then their information is updated in the User Information List (if it exists on that site) and the user is added to the group specified on the tool pane. There are some tricks involved with making all of this happen but I’ll go into that in another post or you can just look at the source code and see how it’s done.
If from the login mode the user clicks on the “Reset Password” button the web part changes to display as shown.

The user can enter their username and then the security questions appear. If the user enters them correctly a new password will be emailed to them. Note that in order for the email to be sent (and an error not be displayed) you must have configured the SMTP server in the web.config. Here is an example.
<system.net>
  <mailSettings>
    <smtp from="Admin@sharepoint.rochester-consulting.com">
      <network host="v-win2k3" port="25" />
    </smtp>
  </mailSettings>
</system.net>
I’m sure that there are dozens of other features that can be added to this web part. In particular, the next step is to create a means of managing users after they have registered themselves. You can use the People and Groups to add and remove them from the site collection but they will still exist in the authentication database. Rather than wait for that functionality though, I wanted to make this available now for those of you who may find it useful.
These files are no longer available for download. Please see the latest code at http://www.codeplex.com/CKS for the latest in Forms Based Authentication for SharePoint 2007.
Build Your AJAX Applications The Smart Client Way
Apr 12
Author: Paul Ballard
Thursday April 12th, 2007 2:04pm
I’ve been thinking about AJAX a lot lately. Those of you who have read my past blogs (and thanks to both of you) know that I’m a fan of Smart Client applications and have been fairly critical of the mass enthusiasm for all things AJAX. But like any good architect I have to keep my options open and so I’ve been thinking about AJAX a lot lately. And what I’ve noticed is that AJAX in fact has remarkable similarities to Smart Client development.
Before I start explaining the architectural reasons why I think AJAX and Smart Client development are so similar let me explain why I consider this to be a “good thing”. The primary tenets of a Smart Client application are:
- It uses local resources and provides a rich user experience
- It exchanges data across a network, Intranet or Internet
- It can function without a connection
- It is easy to deploy
Obviously, number 3 is out for AJAX applications but the rest can be accomplished via AJAX if the application is architected correctly. The key advantage to smart client applications, in my opinion, is the use of local resources. One of the most underutilized local resources in a browser world is the CPU on the client machine. While browsing even complex sites like MSDN my CPU rarely goes beyond 15% capacity. Making that resource available to your applications for performing repetitive GUI tasks while lowering the need for more and bigger server hardware is where I think AJAX has the ability to make the most impact on application development.
Another key feature of Smart Clients not addressed in the tenets listed above is that the data sent between disparate servers and clients doesn’t include UI markup which can significantly improve an application’s performance. What’s more AJAX can broaden the reach of your application beyond that of a Smart Client application to non-Windows environments. This is all serious goodness, if not quite the greatness of a completely disconnected application.
Consider web development with AJAX from a 10,000 foot view. You have the standard server scenario, one or more application servers reading data from a SQL database somewhere. In the old Web 1.0 world, a browser would request a page and the application server would combine the data with the UI and spit out a representation of the UI via HTML to the browser which would then render the results; a typical client/server relationship. However AJAX allows for a more distributed model where the application server can focus on performing business logic and handling requests while the JavaScript running on the client renders data to the user by manipulating the browser DOM. This in effect moves the UI processing to the client where, in my opinion, such processing belongs. Note that I’m not saying that this is how many AJAX enabled browser applications are being built, but the capability is there.
In this diagram I show just how similar the architectural model for an AJAX enabled browser application is to that of a standard Smart Client application. Notice only the labels on the boxes change.

Figure 1.
If you consider each portion of the application not by technology but by its responsibilities the similarity becomes clear.
Application Server
AJAX: In an AJAX enabled application much of the actual business functionality is accessed via web service calls (or static method calls which I consider a step in the wrong direction architecturally). Data is sent and received in XML or JSON format over HTTP. The HTML, CSS, images, etc. are all downloaded on demand by the browser and then stored on the client machine in the temporary internet files folder. Little of the UI processing is done at this point beyond the combination of ASPX with ASCX controls. This frees the server up to handle the more “chatty” but also more flexible interface with the client.
Smart Client: In a smart client application, the application server provides the same access to business functionality via services (ASMX or WCF). Data is sent and received as XML via SOAP. EXEs, DLLs, and other content are downloaded as needed and stored in the user’s profile directories. All of the UI processing is performed on the client, once again freeing up the application server to handle service requests.
Execution Environment
AJAX: In an AJAX enabled browser application the browser itself is the execution environment. It has the responsibility to manage security and protect the client machine from malicious code. (Stop laughing, I’m serious! :)) It provides a programming model to allow the logic of an application written in JavaScript to execute as well as a UI object model (HTML DOM) to allow code to render data to the user. It also provides the mechanisms for sending and receiving data to and from the application server via XmlHttp.
Smart Client: In a typical smart client application the execution environment is the .NET CLR with significant security sandboxing. The CLR provides the security infrastructure to protect the client machine from malicious code as well as providing the framework for logic written in .NET code to run. It also provides UI features via the System.Windows.Forms namespace to allow the logic to interact with the user. And lastly, it provides the mechanisms to communicate with the application server via XML and SOAP.
Data
AJAX: In an AJAX application the data being sent across the wire is always XML. It may have various protocols applied and the raw data may be XML or JSON objects. HTTP is also the only protocol used. Because the data is no longer embedded in repetitive UI markup it is much smaller and so there is a serious opportunity for increased performance of the application as a whole. Data can be cached locally through the use of application server generated JavaScript files.
Smart Client: A smart client application has a bit more freedom about how to get objects across the wire. It can use HTTP or several other protocols, it can send and receive data in a number of formats including binary. But in most cases, for the sake of interoperability and accessibility through firewalls, it’s a good idea to stick to web standard protocols of XML and HTTP just like AJAX. And also like AJAX, only the data and protocol plumbing need be sent back and forth increasing performance of the application overall. Data can be cached locally in an isolated area.
UI Logic
AJAX: The UI logic of an AJAX application is programmed via JavaScript. The logic can render data from the application server to the browser via the HTML DOM and validate input from the user. It can handle events on the UI and make subsequent requests for more functionality/data from the application server. It is fundamentally responsible for the user experience of the application.
Smart Client: In a smart client application, the UI logic is programmed with any .NET language. The UI logic can render data to the client via calls into the WinForms namespaces. It can validate input from the user before making subsequent calls to the application server. It also is fundamentally responsible for the user experience of the application.
GUI
AJAX: The user interface for an AJAX application is rendered as a combination of HTML DOM objects and CSS styles. The individual browser specifies the limits of what can be accomplished graphically in the user interface but a common standard set of features has been hammered out amongst vendors.
Smart Client: The user interface for a smart client application is rendered via Win32 calls on the Windows operating system. It is limited by the features and functionality supported by the WinForms namespaces as well as those features allowed by the security context.
Up to this point I’ve been speaking of the capabilities of AJAX but not necessarily the implementation, or at least not what I believe is the common implementation provided by AJAX.NET. In most applications that tout themselves as being “AJAX Enabled”, a significant portion of the UI logic is still taking place on the server. So why, you ask, is that bad? Of course it’s not “bad”, it’s just not the best use of a centralized (aka limited) resource that is your application server and is old fashioned Web 1.0 thinking. No server, regardless of how powerful, can come close to the rendering power of 100 client CPUs much less the thousands deployed throughout organizations all over the world. Since the CPUs are there and the capability to use them exists, doesn’t it make sense to push the UI logic to those devices?
So how then do we architect an AJAX application that keeps the UI logic on the client machine? Here are a few simple rules that should help.
- HTML pages contain only static layout and file references. The caching features available for HTML pages make static pages very fast to access. Since all UI logic is being done on the client these pages could even be .HTML files instead of parsed .ASPX pages.
- Use CSS for all UI specific features. The advantages to using CSS for layout and UI features are nothing new; websites are being built every day using CSS styles instead of the more traditional tag properties.
- Build your UI logic from a “client-only” point of view. This means that the client JavaScript makes the calls to the server for business functionality and then builds the UI using new and existing DOM objects. It then handles events from the user and sends more requests. Lather, Rinse, Repeat.
- Resist the urge to use server side controls like the UpdatePanel that while making your development more productive, continue the Web 1.0 paradigm of building web applications by combining the UI markup with the data on the application server machines and rendering the client PCs as little more than dumb terminals.
What is needed to enable this type of development is a combination of tooling and client side frameworks. While the Microsoft AJAX library has a lot of the basic features for calling web services already built in, I think there is more work to do there as well as in Visual Studio to make client side JavaScript development easier. The good news is that improvements in Visual Studio “Orcas” as well as the new Expression Web Designer are going to make working with client side JavaScript and CSS much easier… eventually.
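The "client-only" rule above, as an added example that is not code from the original post: the server returns data only, and the script checks its shape and builds table rows from DOM objects, assigning values through textContent so server data is never parsed as markup. The /services/products URL, the "product-rows" element id, the {name, price} record shape and the use of the browser's fetch API in place of XmlHttp are assumptions.

```javascript
// Added example, not code from the original post.
// Assumed names: the "product-rows" element id and the {name, price} record shape.

// Accept only records of the expected shape; anything else is dropped
// before it reaches the UI.
function parseProducts(jsonText) {
  const data = JSON.parse(jsonText);
  if (!Array.isArray(data)) {
    throw new TypeError("expected a JSON array of products");
  }
  return data.filter(
    (p) => p !== null && typeof p === "object" &&
           typeof p.name === "string" && Number.isFinite(p.price)
  );
}

// Build one table row from DOM objects. Values go in through textContent,
// so the browser stores them as text and never interprets them as HTML.
function buildRow(doc, product) {
  const row = doc.createElement("tr");
  for (const value of [product.name, product.price.toFixed(2)]) {
    const cell = doc.createElement("td");
    cell.textContent = value;
    row.appendChild(cell);
  }
  return row;
}

// Replace the rows of an existing <tbody> with freshly built ones.
function renderProducts(doc, tbody, jsonText) {
  const products = parseProducts(jsonText);
  while (tbody.firstChild) {
    tbody.removeChild(tbody.firstChild);
  }
  for (const product of products) {
    tbody.appendChild(buildRow(doc, product));
  }
  return products.length;
}

// Browser wiring: request data, render it, repeat on the next user event.
// Call as refreshProducts(document, "/services/products") (assumed URL).
async function refreshProducts(doc, url) {
  const response = await fetch(url, { headers: { Accept: "application/json" } });
  if (!response.ok) {
    throw new Error("service returned HTTP " + response.status);
  }
  const tbody = doc.getElementById("product-rows");
  return renderProducts(doc, tbody, await response.text());
}

// Constructed sample data and a minimal stand-in for the DOM, so the
// rendering path also runs outside a browser (for example under Node.js).
class StubNode {
  constructor(tag) { this.tagName = tag; this.children = []; this.textContent = ""; }
  get firstChild() { return this.children[0] || null; }
  appendChild(node) { this.children.push(node); return node; }
  removeChild(node) { this.children.splice(this.children.indexOf(node), 1); return node; }
}
const stubDocument = { createElement: (tag) => new StubNode(tag) };
const SAMPLE_JSON = JSON.stringify([
  { name: "<b>Gadget</b>", price: 19.999 }, // markup in data stays plain text
  { name: "Widget", price: 4.5 },
  { name: 42, price: 1 },                   // wrong type: dropped
  { price: 3 },                             // missing name: dropped
  null,
]);

function demo() {
  const tbody = new StubNode("tbody");
  tbody.appendChild(new StubNode("tr")); // stale row from a previous render
  const count = renderProducts(stubDocument, tbody, SAMPLE_JSON);
  const cells = tbody.children.map((row) => row.children.map((c) => c.textContent));
  return { count, cells };
}
```

The shape check here only protects the UI; the service still has to validate whatever the client sends back.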



